Krebs on Security

In-depth security news and investigation

Antivirus is Dead: Long Live Antivirus!

An article in The Wall Street Journal this week quoted executives from antivirus pioneer Symantec uttering words that would have been industry heresy a few years ago, declaring antivirus software “dead” and stating that the company is focusing on developing technologies that attack online threats from a different angle.

Ads for various crypting services.

This hardly comes as news for anyone in the security industry who’s been paying attention over the past few years, but I’m writing about it because this is a great example of how the cybercrime underground responds to — and in some cases surpasses — innovations put in place by the good guys.

About 15 years ago, when the antivirus industry was quite young, there were far fewer competitors in the anti-malware space. Most antivirus firms at the time had a couple of guys in the lab whose job it was to dissect, poke and prod at the new crimeware specimens. After that, they’d typically write reports about the new threats, and then ship “detection signatures” that would ostensibly protect customers that hadn’t already been compromised by the new nasties.

This seemed to work for a while, until the smart guys in the industry started noticing that the volume of malicious software being released on the Internet each year was growing at a fairly steady clip. Many of the industry’s leaders decided that if they didn’t invest heavily in technologies and approaches that could help automate the detection and classification of new malware threats, they were going to lose this digital arms race.

So that’s exactly what these firms did: They went on a buying spree and purchased companies and technologies left and right, all in a bid to build this quasi-artificial intelligence they called “heuristic detection.” And for a while after that, the threat from the daily glut of malware seemed to be coming under control.

But the bad guys didn’t exactly take this innovation laying down; rather, they responded with their own innovations. What they came up with is known as the “crypting” service, a service that has spawned an entire industry that I would argue is one of the most bustling and lucrative in the cybercrime underground today.

Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.

Incidentally, the bad guys call this state “fully un-detectable,” or “FUD” for short, an acronym that I’ve always found ironic and amusing given the rampant FUD (more commonly known in the security industry as “fear, uncertainty and doubt”) churned out by so many security firms about the sophistication of the threats today.

In some of the most sophisticated operations, this crypting process happens in an entirely automated fashion (the Styx-Crypt exploit kit is a great example of this): The bad guy has a malware distribution server or servers, and he signs up with a crypting service. The crypting service has an automated bot that at some interval determined by the customer grabs the code from the customer’s malware distribution server and then does its thing on it. After the malware is declared FUD by the crypting service, the bot deposits the fully crypted malware back on the bad guy’s distribution server, and then sends an instant message to the customer stating that the malware is ready for prime time.

Crypting services are the primary reason that if you or someone within your organization is unfortunate enough to have opened a malware-laced attachment in an email in the first 12-24 hours after the bad guys blast it out in a spam run, there is an excellent chance that whatever antivirus tool you or your company relies upon will not detect this specimen as malicious.

In short, as I’ve noted time and again, if you are counting on your antivirus to save you or your co-workers from the latest threats, you may be in for a rude awakening down the road.

Does this mean antivirus software is completely useless? Not at all. Very often, your antivirus product will detect a new variant as something akin to a threat it has seen in the past. Perhaps the bad guys targeting you or your organization in this case didn’t use a crypting service, or maybe that service wasn’t any good to begin with.

In either case, antivirus remains a useful — if somewhat antiquated and ineffective — approach to security. Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats. The most important layer in that security defense? You! Most threats succeed because they take advantage of human weaknesses (laziness, apathy, ignorance, etc.), and less because of their sophistication. So, take a few minutes to browse Krebs’s 3 Rules for Online Safety, and my Tools for a Safer PC primer.

Oh, and check out the Wall Street Journal piece that prompted this rant, here.

This entry was posted on Wednesday, May 7th, 2014 at 12:28 am and is filed under Other.

sometimes you hide your code to prevent other people from stealing from you.

it’s not a perfect solution to protecting intellectual property, and i certainly wouldn’t endorse it, but i know that some people do use this technique.

i’ve even heard of a crypting product years ago that used the same algorithm (MtE) that a virus writer named Dark Avenger created and used in his viruses. Alan Solomon told me the legal ramifications of false alarming on legit binaries encrypted with that algorithm was what kept Dr Solomon’s Anti-Virus from simply alerting on the MtE engine itself in order to catch all the malware that used it.

I’m not worried about a few software devs having some issues; using crypter-like methods to “hide” your code is a lot like walking into a convenience store wearing a ski mask; don’t be surprised when the police or “overzealous” police suddenly show up to escort you to the quarantine folder.

The developers would simply have to adapt in their ways, once enough security applications have adopted the technique.

I think users will hate you more, if you fail to catch malware, because you gave a free pass to software trying to conceal its purpose.

Worth mentioning so we know: there exist some modules for which it is very close to impossible for AV to see any trace of encrypted data in the binary, and the decryption of the payload into memory will happen just like magic with a simple genuine algorithm. The issue is a little more complex than we think.

Wrong, svefehd. As Jerry pointed out, “lay” is a transitive verb, and it is therefore used, rather than “lie,” when a direct object follows. The direct object could be “your arms,” as in “You lay down your arms,” and it could also be “yourself,” as in “You lay yourself down.” Both examples are correct. Recall the child’s prayer: “Now I lay [not lie] me down to sleep.” The child could either “lie down” or “lay me down.” Both are correct. What he can’t do, grammatically speaking, is “lay down.”

Great article as always. Customer education and layered security is the best approach. Helps to read your blog to stay abreast of schemes we may not have known about that someone communicated to you. Keep up the good work!!!

Yeah, I suppose I should really focus in and nit-pick one part of someone’s reply and completely ignore everything else they said. That’s a far more sensible option and certainly not a complete waste of everyone’s time.

I just read your 3 rules for PC safety and they bring up a question. When I open Windows Mail it automatically goes into send and receive; when the new mail is shown it most often opens the most recent mail and quite often also opens the attachment as well if there is one. Since opening unwanted mail is a bad thing this seems dangerous. How can I make it stop?

As a former employee of Symantec – and Trend Micro, and other security companies – I can tell you that the better AV products stopped relying on file scanning as the primary means of protection years ago. The better solutions – BitDefender, Kaspersky, Symantec (Norton), and others – all provide layers of protection.

The free AV products typically rely on file scanning. The suites also include file reputation (has that file been seen before and is it associated with malicious-type behavior), source reputation, heuristics, IPS, traffic monitoring...

The point is that the phrase “AV is dead” is meaningless – as are those AV tests that only look at file scanning.

What the security industry really needs is a well funded, independent source of efficacy tests. Most of the efficacy testing is paid for by the vendors – and testing this stuff is very expensive. I used to help manage some of the competitive testing at an AV company – so I know how they stack the deck. The magazines that review these products long ago stopped doing independent testing.

There are big differences in detection rates between security products – good luck trying to find the data.

That being said, it’s not easier than compiling a list of all the bad software out there; it’s actually much harder for 2 reasons:
1) there are orders of magnitude more good binaries than bad, and the number of good binaries is increasing orders of magnitude faster than the bad ones (see here http://anti-virus-rants.blogspot.com/2008/05/bad-really-is-in-minority.html)
2) the only criteria we have for declaring something is good is that we can’t find anything bad in it, so we’re still left with looking for the bad things, even when compiling a list of good things.

I have the Windows Parental Control application whitelist turned on on my honeypot – it does pretty well. It only worries about the executables already on the machine; if anything new tries to run, it gets squashed. It seems to work very well, and I still have good functionality. If I have something I need to run, I allow it in the administrative account. Of course there is always the UAC also.

I find that a good HIPS goes a long way too. I’m beginning to think that is almost all Emsisoft uses in their anti-malware product. Anti-virus is dead – long live the anti-malware! 😀

You’re right, and I’m not surprised. Really, whitelisting’s best use is in cases where a workstation’s – or server’s – functionality is strictly defined, and only certain executables are ever supposed to run with few to no exceptions. That’s way more often the case with corporate/enterprise systems, and very rarely so with general use home systems. Too much general functionality is demanded of home computers and mobile devices to make whitelisting truly practical. So while it’s attractive, it ends up being so blasted time consuming that it drives an end-user crazy. And risks having them relax security in order to end the aggravations.

It has its positives, but all I have to think about is making my mother, or various aunts implement this and I can see what a support burden it would be.

I’ve often liked the idea behind Tripwire i.e. create a baseline hash of executable and monitored files when in a known safe, not-compromised state, then regularly rerun those hashes and see what’s changed, then flag it for examination. Problem is, on the individual workstation level that’s even more time-consuming than straight-out whitelisting, and will often give tons of false positives. Enterprise Tripwire would of course have automation tools, but that’s too big a cost to the end user, not to mention too big a burden.

I don’t know what the solution is. I’ve heard many suggestions converging on cloud computing and eventually virtualizing the entire user profile and desktop experience, but I’m sort of wary about those ideas. I just don’t know how to solve the problem.

My whitelisting approach isn’t too difficult. Stuff is whitelisted by where it’s located in the filesystem. If it’s located where only an elevated Admin could put it, then it is allowed. Non-Admins or unelevated Admins can use what’s in those locations, but they (or something exploiting their limited powers) cannot put new stuff where execution is allowed.* Anything that colors outside those lines is arbitrarily denied.

Is it perfect? No. Some software is *designed* to color outside the lines. The Steam game client and the consumer version of Google Chrome are a couple offenders. Definitely power-user territory for the home user. As you move across the spectrum from home to SOHO to SMB to enterprise, I think it gets more practical. This does assume the Admin rights are in trustworthy hands to start with, but if they’re not, you’re sunk regardless.

*unless it can pull off a privilege escalation or a social-engineering technique to trick them into elevating. But that would never happen, no sir 😉
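The location-based whitelist described in this comment, as an added example that is neither the commenter’s nor any product’s code: it normalizes a candidate executable path and allows it only when it sits under a root that standard users cannot write to, with user-writable subfolders inside those roots carved out as deny zones. The root list, the `C:\Windows\Temp` carve-out and the sample paths are assumptions for the example, chosen to match default Windows ACLs; the per-user Chrome install path illustrates why the comment calls such software an offender.

```python
import ntpath  # Windows path rules, usable on any OS for offline policy checks

# Roots that only an elevated administrator can write to under default Windows
# ACLs (assumption for this example; confirm against your own build with icacls).
ADMIN_ONLY_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Subdirectories of those roots that standard users CAN write to by default
# (assumed list). Code there must not inherit "an admin put it here" trust.
USER_WRITABLE_HOLES = (r"C:\Windows\Temp",)


def _norm(path: str) -> str:
    # Collapse ".." and ".", unify slashes and case, so a prefix check cannot be
    # fooled by "C:\Program Files\..\Users\..." or by mixed-case spelling.
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, root: str) -> bool:
    # Match the root itself or a descendant; requiring a separator after the
    # root stops "C:\Program FilesX" from matching "C:\Program Files".
    p, r = _norm(path), _norm(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def decide(path: str) -> str:
    """'allow' if the executable lives where only an admin could have placed it,
    'deny' otherwise (default-deny for everything outside the trusted roots)."""
    if any(_under(path, hole) for hole in USER_WRITABLE_HOLES):
        return "deny"
    if any(_under(path, root) for root in ADMIN_ONLY_ROOTS):
        return "allow"
    return "deny"


def evaluate(paths) -> dict:
    """Decide a batch of image paths, e.g. pulled from a process-creation log."""
    return {p: decide(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths.
    for p, verdict in evaluate([
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Users\bob\Downloads\invoice.exe",
        r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe",
        r"C:\Program Files\..\Users\bob\evil.exe",
    ]).items():
        print(f"{verdict:5}  {p}")
```

The policy deliberately has no allow rule keyed on file name or publisher; that keeps it small, and it is why software that installs into the user profile (the Steam and consumer Chrome cases the comment mentions) needs an explicit, admin-granted exception rather than a looser rule.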

And who’s going to pay to test every build of every piece of software for every OS for every architecture out there?

The creator? There goes the open source movement and, therefore, the internet. And all small companies and start ups. Hell, I doubt even the big companies would be able to afford it. Innovation would die. Profit margins would dive.

The buyer? Many of them won’t shell out for existing AV products; no-one’s going to pay enough to cover even the bureaucratic cost of scanning every piece of software used, let alone cover the cost of the actual scanning process.

And if it was done, what would happen? The bad guys would start writing nice little free utilities that turned bad a few weeks later. How do you test software that parses rulesets? That exhibits odd bugs in certain circumstances? We fail to find bugs when software has been written with the best intentions; we have no hope of finding bugs that have been deliberately, discreetly added.

Savant Protection makes a pretty good whitelisting product; it does require some configuration and testing when you first get going, but after that it does pretty well at preventing new changes. Of course, for the best results you have to make pretty narrow filters, which can cause problems on systems that have a lot of changes happening all the time.

Bad, bad propaganda! Antiviruses must die; they destroy regular software products of different small companies (they simply say that that exe is malware and all is finished for that developer). Who are these AV companies to engage in unfair practices whenever they want to?! Ha?!

Curious. Brian, in your 3 Tips section, you mention Download.com.
Have you ever tried to download something from that C|NET site? OMG… the site may have a legitimate app to download, but the ads mimic the download buttons too well. Like a magazine that feels it is immune from the ads it sells space to (aka income), I refrain from web sources that propagate and rather visit the original creator’s home.

I think C|net needs a swift hit on their income to realize how they contribute to the issue of end-users getting taken. Even a savvy person will have to hesitate on a d/l where the link isn’t what it appears.

Ad servers and advertisers should also be held accountable for their “poorly” crafted ads and the servers hosting them. And how some apps (say for iPhone) incorporate ads as an income source: some ads are so poorly designed or obnoxious that the user will not take the product as “reliable”, “trustworthy” or effective. Go the pay route or enlist the ads that aren’t headaches.
Plus the news that in the future, Google doesn’t want any URL indicators? So we won’t know where we are?

I can’t help but reply here, because that whole CBS takeover of CNET, ZDNet, and Tech Republic is a thorn in my side. Because of their greed, they’ve practically ruined all of those formerly popular assets; I can’t log into most of their discussions because of all the attempted page redirects and malicious ‘malvertisements’ my browser gets hit with when I lower the defenses so I can post over there. So it isn’t just the downloads that are a disaster, but the whole CBS family that is going downhill. It makes me very angry, because those sites used to be my favorite hangouts. It will just be a matter of time before the robber barons soak them for all they’re worth, and throw them into the garbage dump of history.

Software like PELock, Themida, VMprotect, Armadillo, Obsidium are used to protect legit software products against cracks, patches, keygens and all kind of nasty stuff from the hands of crackers.

But when someone wants to use our products, they usually find themselves in trouble because of the low-quality antivirus products that tag protected software as a virus.

I have lost many customers because they wouldn’t accept this happening to their final products (imagine someone downloads their software and an antivirus warning pops up – it’s a disaster for a software maker), and there are so many antivirus products on the market it’s virtually impossible to cooperate even with a small number of their developers (I don’t even have to tell you it’s hard or even impossible to reach them and work out some solution).

There’s a light at the end of this road called TAGGANT technology, but still I think many antivirus products are low quality and tag everything suspicious as a virus without any decent proof (a hash, a signature from known malware, behavior analysis or anything that would clearly state it’s malware).

I think antivirus products work this way so they can earn more money from their customers; it’s always easier to tag something as a virus than to properly analyze the file – that would require more work from the antivirus developers.

I’ve worked in the past for several antivirus companies and I know how they treat it – without much attention. One funny example – one antivirus company claimed they supported detection of my exe-protector (so they can scan the protected file content beneath the protection layer), but I didn’t even speak to any of their developers and they didn’t even buy a license of my software – they either had to analyze a limited demo version of my protector or had used carded copies of my software released to the Internet. That’s how much they care 😉

PS. I don’t use any antivirus product – after my experiences I think it’s garbage software that slows down the entire PC, cannot properly detect legit protection technologies and in the end can’t even protect against the latest malware that has been properly tested against antivirus products – so what’s the point of using something like that? The answer is simple – none 😉

You still don’t believe me? Read about Stuxnet – it wasn’t detected for months by any antivirus product until someone manually analyzed the thing and added detection signatures to the antivirus products. Do you think it’s different for other complex malware? Think again.

Most users go to CNET and read the user reviews on there. It would promote your product if you would submit it to download.com for dispersal. Your Armadillo has no user reviews even though it is available. I’ve always taught my clients to regard products with no reviews as suspicious, and to watch out for products with canned reviews that are obviously from spammers, or shills working for the company.

It is kind of a what-comes-first, the chicken or the egg? I realize that, but that is the reality of new software in the market. You could always try FileHippo or MajorGeeks; I’m not sure what it takes to get your software listed on those sites, but they are some of the best!

“Software like PELock, Themida, VMprotect, Armadillo, Obsidium are used to protect legit software products against cracks,”

That may be the intention, however, they obscure the code, or include non-deterministic self-modifying code. They can obscure malicious behavior, and crackers still manage to defeat the “protections”, anyways.

I am not willing to use or recommend any software product that uses means to obscure the executable image and prevent or deter analysis of what the software does at a low level when run on my CPU… it is definitely not legitimate, even if the goal intended to be accomplished, deterring software piracy, is legitimate: there is a problem with the means, that is, attempted concealment of the binary code being executed is never legitimate.

“Read about Stuxnet – it wasn’t detected for months by any antivirus product until someone manually analyzed the thing and added detection signatures to the antivirus products.”

What you have there is called an outlier; the vast majority of threats antimalware has to deal with are nothing like Stuxnet. The detection rates from AV-Comparatives shown for Kaspersky, Emsisoft, etc., are pretty compelling.

Although… at 99%, you are still expected to be infected after a few attacks, unless you combine multiple malware detection methodologies, including whitelisting, patching, and the use of exploit mitigation tools such as EMET and additional non-standard sandboxes (beyond protections the attacker will expect).

It seems any solution has to run in kernel space to have a ghost of a chance of resisting manipulation by malware in the first place. Most of the successful players have moved to that tactic for now. Tomorrow – all bets could be off!

Unwanted software is unwanted, regardless whether the goal is to compromise the machine or just subvert normal user behavior so that they cannot control some product they ostensibly paid for. Sounds like the AV is working as intended, preventing hidden system level changes the purchaser probably didn’t know about or want to begin with.

I feel AV is like a smoke detector: by the time it goes off the house is already on fire, with maybe enough time to throw a chair through the window and get the hell out. Or if the burglars trip the alarm I may have enough time to put on a robe before the guys with guns and ski masks are bedside. Most of the people in my city have little more than Windows, glass windows, to protect them from crazed punks and wild animals… which are constantly roaming, probing, looking for one small crack to slip inside.

I found this a really valuable post. It’s interesting that the WSJ writer didn’t bother to discuss the reasons why antivirus is dead as this post did. He just threw it out there with no context. I think the issue is much bigger than just antivirus. All signature based solutions face the same issues. For example WAF, IDS, etc that are based on signatures are also vulnerable to obfuscation attacks. I’ve watched dozens of YouTube videos on how to quickly walk around these devices. Feels like there’s going to be a seismic shift in IT security strategies over the next couple of years as the industry moves away from signature-based technologies.

As mentioned previously, the fact that an executable file is obfuscated or encrypted is in itself an indication of a suspicious file. If there are also other suspicious indications (such as location on the computer, file size, detail registered with the operating system, an invalid digital signature, a bad file “envelope”, and other common sense indications, that adds more validity to the detection as malware. And this can be done without file parsing and complicated techniques like emulation or sandboxing. The AVs need to work smarter, not harder.
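A worked version of the indicator this comment describes, and of why the crypting loop in the article above produces it, as an added example that is not from the post, its commenters or any vendor: a crypter’s output is, by construction, a blob of near-random bytes wrapped around a small decryption stub, so per-section byte entropy of a PE file is a cheap first-pass signal that needs no emulation or sandboxing. The parser below reads only the PE section table; `build_sample_pe` constructs a synthetic image with a repetitive `.text` section and a pseudo-random `.crypt` section (not a runnable program), and the 7.0 bits-per-byte cut-off is an assumed threshold to be tuned against a clean-file corpus.

```python
import hashlib
import math
import struct

# Byte entropy (bits per byte, max 8.0) at or above this is treated as
# "probably packed or encrypted". 7.0 is an assumed, commonly used cut-off.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for each entry in the PE section table.

    Only the fields needed to locate raw section bytes are read; the optional
    header is skipped via SizeOfOptionalHeader, so PE32 and PE32+ both work.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_opt                      # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, raw_ptr, raw_size


def scan_pe(image: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Per-section entropy report; 'suspicious' marks sections at/above threshold."""
    report = []
    for name, raw_ptr, raw_size in pe_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        report.append({"name": name, "size": raw_size,
                       "entropy": round(ent, 3), "suspicious": ent >= threshold})
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE image: valid headers plus two data sections.

    .text holds a repetitive byte pattern (4 equiprobable symbols = 2.0 bits);
    .crypt holds deterministic pseudo-random bytes standing in for ciphertext.
    """
    text = b"\x55\x8b\xec\x90" * 256
    blob, seed = b"", b"constructed-sample-seed"
    while len(blob) < 4096:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = b"\0" * 224                                  # zeroed PE32 optional header

    def section(name, vaddr, size, ptr, flags):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # reloc/linenumber pointers and counts (unused), Characteristics.
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, ptr, 0, 0, 0, 0, flags)

    sections = (section(b".text", 0x1000, len(text), 0x200, 0x60000020)
                + section(b".crypt", 0x2000, len(blob), 0x200 + len(text), 0xC0000040))
    headers = dos + coff + opt + sections
    return headers + b"\0" * (0x200 - len(headers)) + text + blob


if __name__ == "__main__":
    for s in scan_pe(build_sample_pe()):
        print(s)
```

Entropy alone is a triage signal, not a verdict: compressed resources and legitimately packed installers score high too, which is why the comment pairs it with the other cheap indicators (location, size, signature validity) before calling a file malware.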

Often it doesn’t even appear to be an executable file, however. An example is the Win32/Pdfjsc PDF files that exploit Adobe Acrobat. There are endless varieties of these and the signatures can’t keep up. They attach the PDF to a spoofed internal email address (such as a FAX email address) and it will often be opened. With signature-based security it’s an arms race you’ll always eventually lose.

It is interesting to observe the reaction in my honeypot for those attacks. I had Foxit installed – the attack failed – my HIPS grabbed it, and it was all over! Sometimes it is good to either use applications with fewer vulnerabilities, or at least keep the ones that do, updated the instant a patch comes out. Auto updaters can help here – even if they can’t do the update, they can alert you to the patch.

I’ve seen many attacks fail just running as a limited user on a Windows machine running NT5 or 6, as long as the latest updates for everything installed are in force.

What I found with email-laced malware is that if anyone bothers to read the “riot” story, it has bad spelling and punctuation, with funny-sounding names (I even heard of well-known agency heads knowing full well they did not write it), so I automatically delete it.

One of the reasons why they put out this malware is that by the time the AV finds it a problem it is too late, so they put out a patch to cover it. Basically it’s an arms race between the good and bad guys.

Whitelisting (adaptive & intelligent) is the only hope for future malware defense. A combination of whitelisting and blacklisting should now be standard in any environment where endpoint security is taken seriously. Bit9, Savant Protection, Lumension, to name a few. More AV vendors need to get on board…

To be honest, most AV software will detect these crypted malware programs due to their so-obvious methods of infection. AV software does not rely only on signatures; calls to the kernel and other I/O are all monitored and will result in at least a notification to the user from the AV software in most cases. Layers… of course, for companies that is easy; for personal computers at home, layers normally include a simple hardware router and firewall that may do inline scanning if it’s capable, and then software on the OS.

I disagree. In my experience they do not detect these programs, nor their activity. If you rely on heuristics or behavioral detection you will miss a ton of malicious activity. Most well-designed malware is created with heuristic detection in mind. Even if you tune up heuristics to where they are somewhat effective, it also typically degrades the user experience. In a lab you can see this. Most variants reveal no detection on places such as VirusTotal.com until hours later, which is all it takes.

Thank you for showing restraint on your use of the word cyber. It’s used a nauseating amount and in many inappropriate contexts around the news, so it’s refreshing to read an infosec article that doesn’t make me nauseous.

I agree that as of now the best solution will be layering security and trying to encourage consumers to be aware of the problem in order to try to prevent it. But with technology constantly changing, do you think that somewhere in the future there will be something that can protect from all of these things? The IT industry is growing more and more every day and always coming up with new solutions to problems.

Chrome will no longer allow Shockwave Flash to operate. A yellow bar at the top of the page tells me Shockwave won’t load. The browser is up to date (I use Qualys). I checked the “plugins” section of Advanced Settings – Privacy, etc., and all is well there.

Is anyone familiar with this–in an HP system, or not? HP’s forums don’t seem to have a category for this sort of problem.

Chrome uses its own Java and Flash; you can’t install anything that isn’t on the Chrome store site as an extension. I had EMET 4.1 installed a while back and saw no Chrome problems; I need to go back to it. I reverted to the 3.0 version for a while because of IE9 issues, but I think I could mitigate those now.

I’m not sure how this relates to HPs. Two of my network machines are HPs and I’m not having any trouble with Chrome, that I can think of, anyway.

Problem solved: it turns out that (for my machine) it’s necessary to check the “always allow” box for Flash and Shockwave at the Chrome plug-in management page. I’d assumed that not having the plug-ins disabled was sufficient. Thanks for the help.

Adobe gets a bad rap, but they are decent at providing security patches and automatic updates. Also, with Chrome… Flash can be sandboxed, mitigating much of the risk

Oracle, JAVA on the other hand is an utter nightmare. The security of Java has more holes than a block of Swiss cheese.

Updates to free Java come out very slowly, even when being exploited, and are often batched.

Also, Java’s “automatic update” functionality is obtrusive and not very good — they always seem to be trying to trick you into getting a new toolbar with every update and turning BACK ON the Java applets feature that you had manually disabled.

Also, JAVA5 and JAVA6 are widely used. Many network devices and end user packaged products still require the versions of Java to be installed to manage network equipment, not compatible with JAVA7 or JAVA8.

Every 3 years, Oracle decides the previous version of free Java is “End of Life”, and stops making security updates for it — even though the vast majority of Java users are not free to upgrade, due to application incompatibility.

No home user is going to pay Oracle 10 grand a year for security updates… ergo, there are a lot of vulnerable Java versions running around that CANNOT be remediated.